Thursday, July 2, 2009

Security Guard Charged with Hacking Hospital Systems

The grainy video shows a bleary-eyed young man in a hoodie inside the Carrell Clinic in Dallas. As he hits the elevator button, the theme music from Mission Impossible plays in the background. "You're on a mission with me: Infiltration," he says to the camera.

Then in the course of the next five minutes, the man, who says he hasn't slept in three days, uses a security key to roam the halls of the hospital and install malicious botnet software on a computer there.

He says he's "infiltrated a very large corporate office," but according to the FBI, he was just working the night shift as a security guard, pretending to break into the very building he was supposed to be guarding.

On Friday the federal authorities arrested the man in the video, Jesse William McGraw, on a charge of felony computer intrusion, saying he intended to use the botnet to launch a massive distributed denial-of-service (DDoS) attack on July 4, the day after he was set to stop working there. He'd nicknamed the day "Devil's Day."

McGraw was an employee of a Dallas security company called United Protection Services; he worked the 11 p.m. to 7 a.m. shift at the clinic.

McGraw, who went by the hacker name GhostExodus, allegedly installed malicious software in computers all over the Carrell Clinic, including systems that contained confidential information and others that managed the building's climate-control systems, authorities said Tuesday.

The hacker could have harmed patients or damaged supplies of drugs if he had turned off air conditioning during the hot Texas summer, authorities said.

GhostExodus' Mission Impossible video was one of several that he posted to YouTube. They have since been removed, but copies were seen by the IDG News Service. One video named in court filings that was not deleted shows him skillfully playing a violin.

GhostExodus may have seen his arrest coming.

In a March 14 online journal entry, he said that an enemy was fabricating evidence against him and that he was erasing his tracks, but he did leave some tracks on the Web. For example, there's a May 24 forum post in which he brags about his hacking and posts screenshots of the administrative interface to the hospital's heating, ventilation and air conditioning systems. "Spreading botnets is boring. But sometimes you get a hefty prize for all your hard work and labor," he wrote. "Like this you see below. An HVAC server."

McGraw talks like a big-time spy, but he makes some silly mistakes. In one video he puts on surgical gloves -- presumably to hide his fingerprints -- after typing on the computer he plans to hack. In another, he crops the video so that his face is not visible, but then shows off a fake FBI identity card -- with his picture on it. Then there's the fact that he posted the whole thing on YouTube.

His undoing came when a member of his hacker group, called the Electronik Tribulation Army, boasted to security researcher Wesley McGrew and showed him screen shots of hacked machines. That hacker, who went by the name XXxxImmortalxxXX, claimed to have hacked the Carrell Clinic systems, but McGrew soon linked the crime to GhostExodus and handed over his findings to authorities.

The group also compromised computers used by the Dallas Police and NASA, the FBI said in an affidavit. According to GhostExodus' journal, he appears to have found a cross-site scripting bug -- a common Web programming error -- on NASA's Web site.